Here’s our guide on how to protect your business from fraud.

For many small business owners, hiring someone to manage their finances is a great move. However, unprepared business owners could be opening themselves up to fraud.

When a business owner starts out, it’s often just them handling every aspect of the business. As the business grows, they gradually build a team of both internal staff and contractors, and usually this will include a bookkeeper.

In a recent Association of Certified Fraud Examiners report, survey participants estimated that the typical organization loses 5% of revenues each year to fraud.

According to the ACFE’s 2016 Report to the Nations, the estimated median loss from fraud was $150,000.

It takes time and effort to recover the money stolen by perpetrators, and many organizations are never able to fully do so.

What exactly is fraud?

According to Queensland Police’s Your guide to stopping Employee fraud:

“Fraud is behaviour that is deceptive, dishonest, corrupt or unethical. For fraud to exist there needs to be an offender, a victim and an absence of control or safeguards.”

Fraud can occur in the most unlikely places and by the most unlikely individuals.

Colleen Margaret Gray, a 66-year-old Principal of Mayfield Primary School in Auckland, defrauded the school of more than $30,000. Mrs Gray raised false invoices in the names of fictitious teachers, and the payments were made to companies owned by her husband, Bruce Kenneth Gray. (source: Deloitte Forensic Focus)

In another case reported in 2011, a contractor bookkeeper working for a group of direct sales companies siphoned $891,000 into her possession. She used the money on luxury goods and to pay back her mother’s gambling debts. (source: Smartcompany)

Why does fraud happen?

I like to believe that people are inherently good.  For fraud to occur there needs to be both opportunity and motivation for the offender.

Business owners might not be able to control the motivations of the offender, for example gambling debts, but they can limit the opportunity.  Being aware of the risks and setting in place controls and safeguards will help to prevent fraud.

The risks dramatically increase when responsibility for the entire bookkeeping / finance function is handled by only one person (be it internally or externally), especially where the staff member or outsourced bookkeeper has full access to the bank account and accounting software without another staff member or authoriser involved.

What’s the potential impact of fraud?

In simple terms, if someone (other than you) has full access to your bank account, they could take everything in that bank account.

Some other common scenarios are:

  • somebody in charge of purchasing pays themselves by creating fraudulent or duplicated invoices for commonly purchased items
  • the person in charge of payroll creates fake employees and pays themselves
  • somebody in charge of invoicing changes the invoice bank account details to their own and then credits the invoice

Any of these scenarios could cause enough of a cashflow problem to force you out of business.

Red flags that you might be at risk of fraud

  • Your bookkeeper requests or has full access to your bank accounts and can make payments without a 2nd signatory
  • You (or another manager) are not involved in approving invoices for payment before they are paid
  • There is one bookkeeper (internal or external) doing the whole accounting function. (As an added layer of protection, you want to have a separation between the person entering bills in Xero and creating invoices, and the person who is reconciling bank transactions.)
  • Unexpected spikes in expenses or asset purchases

6 steps to protect yourself from fraud (using Xero)


Step 1 – Restrict access to authorise payments in bank accounts

Example: A bookkeeper was given access to the business bank accounts. He transferred regular amounts to his own bank account.

To prevent this, restrict access to authorising payments from within your bank account to a few key people and require a 2nd signatory to authorise payments.

You can still have your bookkeeper set up the payment in the bank, but it is worth thinking about whether they should have the ability to approve payments.


Step 2 – Invoices are approved by the purchaser before they are paid

A lack of approval process in place for invoices can spell trouble for your business.

Example: Jimmy Ming Miu, an IT Manager, defrauded his employer, McKay Shipping, of more than $1 million over a 6-year period. Mr Miu raised false invoices for IT equipment from Avanti Systems and Avanti Systems Integration, companies that he had control of. The IT goods were never supplied, not required or hugely overpriced. (source: Deloitte Forensic Focus)

How does your bookkeeper know whether the goods and services were received to the required standard, for each invoice?  Often they won’t, especially as the business grows and there are more people making purchases.  To avoid paying for goods / services that haven’t been received, the invoice should be ‘approved’ to indicate it can be paid.

The process in Xero looks like this:

  1. Bills are entered in Xero and sit in ‘Awaiting Approval’
  2. Once the bill has been approved it moves to ‘Awaiting Payment’
  3. Batch payments are created from invoices in the Awaiting Payment area
  4. The batch payment file is uploaded to online banking
  5. The payment file is approved in online banking


[Screenshot: bills for approval]

Click the green ‘approve’ button to approve the purchase ready for payment.

In some small businesses the business owner will be approving purchases for payment in Xero and also authorising payment in internet banking.

As a small business grows the approving of purchases is often delegated to project managers or team leaders. A business owner will usually retain control of authorising payments from within internet banking.


Step 3 – Restrict access to changing bank account details in Xero

If you are using the batch payment function in Xero, then changes to bank account details in Xero can expose you to the risk of fraud.

Example: Vicky Lee Kyle abused her position as an accounts payable clerk in Hastings by creating and submitting false invoices for payment into her bank account. Ms Kyle had access to her employer’s accounting software, where she changed the payment details to her own once the false invoices had been approved for payment. Ms Kyle defrauded her employer of $660,000 over a 6-year period. (source: Deloitte Forensic Focus)

Luckily, Xero provides a way for you to restrict access to changing bank account details. Be mindful of who has access to change supplier and employee bank account details in Xero. Also make sure to review changes made to bank account details regularly (explained in more detail in Step 6, the Assurance Dashboard).

How to implement this in Xero:



Step 4 – Segregation of duties

The term ‘segregation of duties’ means that rather than having one person responsible for every aspect of a role, split the responsibilities among multiple people.

According to an article published by the Association of Certified Fraud Examiners, Small business fraud and the trusted employee: protecting against unique vulnerabilities:

Small businesses are particularly vulnerable to fraud because they lack the resources to implement complete systems of internal controls and properly segregate accounting duties among their limited employees.

Therefore, accounting personnel may be tasked with completely inappropriate job functions that provide easy opportunities for committing financial frauds. Furthermore, the business cultures of small businesses are developed around a concept of a “trusted family” of employees.

Consequently, placing trusted employees in positions without proper internal controls doesn’t appear to be an unreasonable decision to managers of a “family” business.

To protect against this, we recommend that business owners separate the roles of the person completing bank reconciliations and the person raising invoices or paying bills. You could do this by having an internal admin staff member raise invoices and bills in Xero and then use a separate person / business like Bean Ninjas to complete the reconciliations.

Trust but verify


Most employees are generally trustworthy! But it does not hurt to conduct some data matching to make sure they are. Here is a simple approach to cross-check your vendor and employee files to see if perhaps an employee has set up a fictitious vendor.

Try comparing your supplier details with your employee file across the following variables:

  • Address
  • Phone Number
  • Bank Account Number

If there are multiple suppliers with the same details as your employees you might need to do some further investigation!
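The cross-check described above, as an added example (not part of the original article and not a Xero feature). The record layout, field names and sample data are constructed; the "last 8 digits" phone rule and the abbreviation list are assumptions chosen so that formatting differences do not hide a match.

```python
import re
from collections import defaultdict

# Constructed sample records; real data would come from contact and payroll exports.
SUPPLIERS = [
    {"name": "Acme Paper Pty Ltd", "address": "12 Harbour St, Southport QLD",
     "phone": "(07) 5555 0101", "bank": "064-000 1234 5678"},
    {"name": "Bright IT Services", "address": "Unit 4, 88 Beach Road, Burleigh",
     "phone": "+61 7 5555 0199", "bank": "084 111 22334455"},
    {"name": "Coastal Couriers", "address": "3 Pine Ave, Nerang",
     "phone": "07 5555 0142", "bank": "124001-98765432"},
]
EMPLOYEES = [
    {"name": "Sam Example", "address": "unit 4 / 88 Beach Rd., Burleigh",
     "phone": "0400 000 111", "bank": "084-111 2233 4455"},
    {"name": "Alex Sample", "address": "9 Hill Street, Robina",
     "phone": "07 5555 0142", "bank": "034-002 1111 2222"},
]

ABBREVIATIONS = {"st": "street", "rd": "road", "ave": "avenue"}

def normalise(field, value):
    """Reduce a value to a comparable key so formatting differences don't hide a match."""
    if field == "bank":
        return re.sub(r"\D", "", value)            # digits only
    if field == "phone":
        return re.sub(r"\D", "", value)[-8:]       # last 8 digits ignores +61 / 0 prefixes
    words = re.findall(r"[a-z0-9]+", value.lower())
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)

def find_overlaps(suppliers, employees, fields=("address", "phone", "bank")):
    """Return sorted (supplier, employee, field) tuples where a normalised field matches."""
    index = defaultdict(list)
    for emp in employees:
        for field in fields:
            key = normalise(field, emp.get(field, ""))
            if key:
                index[(field, key)].append(emp["name"])
    hits = []
    for sup in suppliers:
        for field in fields:
            key = normalise(field, sup.get(field, ""))
            for emp_name in index.get((field, key), []):
                hits.append((sup["name"], emp_name, field))
    return sorted(hits)

if __name__ == "__main__":
    for supplier, employee, field in find_overlaps(SUPPLIERS, EMPLOYEES):
        print(f"REVIEW: {supplier} shares {field} with {employee}")
```

A match is a prompt for follow-up rather than proof: a shared bank account deserves more attention than a shared phone number or address.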


Step 5 – Regularly review your Profit and Loss statement and Balance Sheet

In the examples of Vicky Lee Kyle and Jimmy Ming Miu above, they both submitted false invoices for payment.  These false invoices would have resulted in an increase in expenses or assets in the accounts.

A monthly review of the Profit and Loss and Balance Sheet should help to identify unexpected purchases. Before reviewing the monthly reports, decide what you expect to see in them. If you purchased new computers for the team, then you would expect to see that reflected in the accounts.

If you see an unexpected increase in assets this month then look into this account to understand why.


Step 6 – Ask your accountant to review the ‘Assurance Dashboard’ in Xero

The Assurance Dashboard in Xero is a great place for your accountant to help review unusual activity within your Xero.

You could review the ‘contacts whose bank accounts have been edited’ section to see where bank account details have been changed.




Preventing fraud is a case of maintaining some level of control over your business finances and implementing the following safeguards:

  1. Restrict access to authorising payments from within your bank account to a few key people and require dual signatories to authorise payments.
  2. Ensure that invoices are approved by the purchaser before they are paid.
  3. Restrict access to changing bank account details in Xero.
  4. Create a segregation of duties between the role of the person completing bank reconciliations and the person raising invoices or paying bills.
  5. Regularly review your Profit and Loss and Balance Sheet and make sure the figures are in line with your expectations.
  6. Ask your accountant to review the ‘Assurance Dashboard’ in Xero.

Are you set up in Xero to protect yourself against fraud? Make sure to follow our steps above.

Want help putting this advice into action or looking for a bookkeeper that has your best interest in mind? Contact Bean Ninjas today.


Meryl Johnston

Co-founder at Bean Ninjas
Meryl is a Chartered Accountant, entrepreneur and surfer!

Prior to Bean Ninjas she ran a cloud accounting consulting firm, worked in both commercial accounting roles, as an auditor (BDO), and as a lecturer in accounting and audit.